
PKI Benefits - Why PKI?

The main benefits available from a Public Key Infrastructure (PKI) are as follows (not in any order of importance; they are all important). Some are simply ways of doing tasks which could be accomplished, usually less well, by other means, but in most cases the tasks could not otherwise be accomplished at all. The technical basis is asymmetric (public key) cryptography, built on a public/private key pair: data encrypted with the public key, which anybody may hold, can only be decrypted with the corresponding private key, known only to its owner, and a digital signature produced with the private key can be checked by anybody holding the public key but cannot be produced by anybody who lacks the private key. Digital Certificates (DCs) are the means by which public keys are actually published and made available to anybody: a trusted Certification Authority (CA) binds a name to a public key and signs that binding, and the PKI is the infrastructure which enables and supports this.
The crucial fact to bear in mind is that a DC cannot be forged, short of compromising the CA which issued (and digitally signed) it. Two caveats follow directly. First, the guarantee only holds for a relying party that actually verifies the certificate's signature chain back to a CA it trusts, and checks validity dates and revocation status, rather than simply reading the name out of the certificate. Second, the certificate protects the binding of a name to a public key; it does nothing to protect the private key itself, which the owner must keep secret.

A general point is worth stressing. A PKI, as with any security technique, yields maximum benefit only within the context of a Security Policy. It is necessary to formulate and document precisely what the organisation aims to achieve in the area of security; the various security techniques, including PKI, can then be linked to specific aims. It is unfortunately the case that security is both costly in itself and in tension with usability: the more secure an environment is, the more costly and the less usable it tends to be, and the most usable environment is generally the least secure (albeit not necessarily the least costly). A balance has to be struck between a particular level of security and an acceptable cost, in terms of both money and usability. On the other hand, the cost of a severe security breach, in direct financial loss, the cost of rectification, and possible subsequent legal liabilities, can be crippling.
The security policy, by documenting what the organisation aims to achieve and the methods it uses to achieve this, serves to concentrate minds and provides a measure against which to judge performance. It also demonstrates due diligence, and serves as a defence against charges of negligence.